From docker-toolkit
Scans Docker images for vulnerabilities, outdated packages, misconfigurations using Trivy, Docker Scan, Grype, Snyk. Guides fixes, best practices, verification, CI/CD integration.
How this skill is triggered — by the user, by Claude, or both
Slash command
/docker-toolkit:image-security-scannerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Scan and secure Docker images for production deployment.
Scan and secure Docker images for production deployment.
Scan an image:
docker scan myapp:latest
# or
trivy image myapp:latest
Docker Scan (built-in):
docker scan myapp:latest
Trivy (comprehensive):
trivy image myapp:latest
Grype (fast):
grype myapp:latest
Snyk (detailed):
snyk container test myapp:latest
Basic scan:
docker scan myapp:latest
Detailed scan with Trivy:
trivy image --severity HIGH,CRITICAL myapp:latest
Scan with JSON output:
trivy image -f json -o results.json myapp:latest
Review findings by severity:
Common vulnerabilities:
Update base image:
# Before
FROM node:18-alpine3.17
# After
FROM node:18-alpine3.18
Update packages:
RUN apk upgrade --no-cache
# or
RUN apt-get update && apt-get upgrade -y
Remove vulnerable packages:
RUN apk del vulnerable-package
Use distroless for minimal attack surface:
FROM gcr.io/distroless/nodejs18-debian11
Run as non-root:
USER nobody
# or
RUN adduser -D appuser
USER appuser
Remove unnecessary tools:
RUN apk del apk-tools
Use read-only filesystem:
# In docker-compose or k8s
read_only: true
Add security labels:
LABEL security.scan-date="2024-01-15"
LABEL security.scanner="trivy"
Re-scan after fixes:
docker build -t myapp:latest .
trivy image myapp:latest
Compare before/after:
# Before: 15 HIGH, 5 CRITICAL
# After: 2 HIGH, 0 CRITICAL
CI/CD Integration:
# GitHub Actions
- name: Scan image
run: |
docker build -t myapp:${{ github.sha }} .
trivy image --exit-code 1 --severity CRITICAL myapp:${{ github.sha }}
Pre-deployment scan:
#!/bin/bash
IMAGE=$1
trivy image --severity HIGH,CRITICAL $IMAGE
if [ $? -ne 0 ]; then
echo "Security vulnerabilities found!"
exit 1
fi
Scheduled scans:
# Cron job to scan running images
0 2 * * * trivy image --severity HIGH,CRITICAL $(docker images -q)
Minimal base image:
FROM alpine:3.18
# or
FROM gcr.io/distroless/static-debian11
No secrets in image:
# Bad
ENV API_KEY=secret123
# Good
# Pass at runtime
docker run -e API_KEY=$API_KEY myapp
Health checks:
HEALTHCHECK --interval=30s --timeout=3s \
CMD curl -f http://localhost:8080/health || exit 1
Limit capabilities:
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp
Outdated base image:
# Vulnerable
FROM node:16-alpine
# Fixed
FROM node:18-alpine3.18
Exposed secrets:
# Vulnerable
COPY .env .
# Fixed
# Use runtime secrets
Running as root:
# Vulnerable
CMD ["node", "server.js"]
# Fixed
USER node
CMD ["node", "server.js"]
Unnecessary packages:
# Vulnerable
RUN apk add curl wget git vim
# Fixed
RUN apk add --no-cache curl
Docker Scan:
Trivy:
Grype:
Snyk:
For production deployments:
npx claudepluginhub p/armanzeroeight-docker-toolkit-plugins-docker-toolkitScans container images and Dockerfiles for vulnerabilities, misconfigurations, and compliance using Trivy, Grype, Snyk, and Hadolint. Generates reports with remediation steps and CI/CD integration.
Hardens Docker containers against privilege escalation, image vulnerabilities, and container escape using non-root users, minimal base images, and security profiles.
Review container security including image scanning, runtime policies, and supply chain integrity.